We have a physical/logical topology as follows:

(internet) -- (ASA 5520) -- (Catalyst 3750) -- (Nexus 5548) -- (ESXi 5.1 hosts) -- (dvSwitch) -- (Windows 2012 NLB for Direct Access)

We've already made the obvious changes that are widely publicized for NLB in multicast mode:

3750 (default gateway / router):

arp 10.19.0.51 03bf.0a13.0033 ARPA

Nexus 5548 (physically attached to ESXi hosts):

mac address-table static 03bf.0a13.0033 vlan 200 interface Ethernet1/9 Ethernet1/10 Ethernet1/11

Internally both NLB VMs are pingable on their dedicated IPs (10.19.0.69, .70, respectively) and their VIP (.51). They also are pingable from the 3750 (the 5548 is L2 only, so can't test there). Furthermore, the MAC address tables on the 3750, 5548, and ASA 5520 all have the IPs and MACs (.69, .70, and .51) accurately.

For two weeks it worked perfectly. Then last Friday (3/15) we applied ESXi patches which vMotion'd the VMs around. At that point, Direct Access / NLB broke.

On the ASA 5520, I can ping the VIP (.51) but cannot either of the dedicated IPs (.69, .70). I've tried adding static ARP entries w/ and w/o "alias" at the end, to no avail. It doesn't seem to matter, since my ping initiation (via SSH/CLI) refreshes the ARP table accurately. When we disconnected one of the VMs (or the other), I'd occasionally be able to ping one or even both of the dedicated IPs, but only briefly before it failed to respond again.

Are we missing something on the ASA? Can't find much else that is purported to be required. Any help is appreciated!